Detect Windows Wi-Fi Driver Remote Code Execution via Adjacent Network in Microsoft Sentinel
CVE-2024-30078 is a high-severity (CVSS 8.8) remote code execution vulnerability in the Windows Wi-Fi driver. An unauthenticated attacker within Wi-Fi radio range of a target can execute arbitrary code on the victim's device by sending a specially crafted network packet. No user interaction is required. The attack vector is Adjacent Network (AV:A): the attacker must be within Wi-Fi radio range of the target, and the victim's adapter must be active, but no existing association with the victim's network is implied by the vector. All supported Windows versions are affected (Windows 10, Windows 11, Windows Server 2008 through 2022). This vulnerability is particularly relevant for small and medium-sized business (SMB) environments where employees work in shared offices, co-working spaces, hotels, or coffee shops: any shared Wi-Fi environment with other devices in range becomes a potential attack surface. Although there was no confirmed in-the-wild exploitation at the time of disclosure, the absence of any user-interaction requirement makes this a high-priority patch.
MITRE ATT&CK
- Tactics: Initial Access, Execution
KQL Detection Query
// CVE-2024-30078 - Windows Wi-Fi Driver RCE
// Detection approach: the Wi-Fi driver RCE itself executes at driver/kernel level, below
// process-creation and network telemetry, so it is not directly observable here.
// Best detections focus on: post-exploitation activity on wireless-connected systems,
// anomalous processes spawned from the Wi-Fi service context, and wireless network anomalies.
// The WLAN AutoConfig service (WlanSvc) and Wired AutoConfig service (dot3svc) run inside
// svchost.exe; the match is scoped to that svchost instance via its "-s <service>" command line,
// because a bare svchost.exe match would fire on every child of every Windows service.
let AnomalousProcessAfterWiFiConnect =
DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName =~ "wlanext.exe"
    or (InitiatingProcessFileName =~ "svchost.exe"
        and InitiatingProcessCommandLine has_any ("WlanSvc", "dot3svc"))
| where FileName in~ (
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe"
)
| extend ThreatIndicator = "CVE-2024-30078-WiFi-Driver-PostExploit";
let WiFiNetworkAnomalies =
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName =~ "wlanext.exe"
    or (InitiatingProcessFileName =~ "svchost.exe"
        and InitiatingProcessCommandLine has_any ("WlanSvc", "dot3svc"))
| extend ThreatIndicator = "CVE-2024-30078-WiFi-Service-Outbound";
let SuspiciousWiFiEvents =
DeviceEvents
| where TimeGenerated > ago(24h)
// Confirm these ActionType values exist in your tenant before relying on this signal:
//   DeviceEvents | where TimeGenerated > ago(7d) | distinct ActionType
| where ActionType in ("WifiConnectionAttempt", "WifiConnected")
| where tostring(AdditionalFields) has_any (
    "ad-hoc", "independent", "IBSS", // Ad-hoc/peer-to-peer networks (attack vector)
    "open", "WEP" // Insecure network types
)
| extend ThreatIndicator = "CVE-2024-30078-Insecure-WiFi-Connect";
AnomalousProcessAfterWiFiConnect
| union WiFiNetworkAnomalies
| union SuspiciousWiFiEvents
| sort by TimeGenerated desc
Detects potential CVE-2024-30078 exploitation through post-exploitation indicators rather than the exploit itself, which executes at driver/kernel level below standard endpoint telemetry. Signals: (1) scripting engines or cmd.exe spawned from the WLAN AutoConfig service host or wlanext.exe, (2) outbound connections to public IP addresses from those same processes, and (3) connections to ad-hoc or open/WEP networks, where an attacker in radio range is more plausible. Note that has_any matches whole terms, so the "open" term in signal (3) will also match an SSID or field that contains the word "open"; tune it to the specific field your tenant populates once you have confirmed the event schema.
Data Sources
Required Tables: DeviceProcessEvents, DeviceNetworkEvents, DeviceEvents (Microsoft Defender for Endpoint advanced hunting tables, ingested into Microsoft Sentinel through the Microsoft Defender XDR data connector).
False Positives & Tuning
- Wi-Fi provisioning services spawning helper processes during network profile management
- Corporate Wi-Fi onboarding agents that run post-connection scripts
- Windows WLAN AutoConfig service making cloud service connections for network intelligence
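An offline check of the query's three signals and of the tuning above, as an added example. This is a Python re-implementation of the KQL filters, not the page's query and not Microsoft code; it runs the same logic over constructed Defender for Endpoint style records (column names follow DeviceProcessEvents, DeviceNetworkEvents and DeviceEvents), scopes svchost.exe to the WlanSvc/dot3svc host, and adds an allowlist for the onboarding-agent false positive. The records, SSIDs, paths and the agent name CorpWiFiOnboard are constructed for the example.

```python
"""Offline re-implementation of the three CVE-2024-30078 hunting signals.

Added example, not the page's KQL and not Microsoft code. Column names mirror the
MDE advanced hunting schema; all records below are constructed, and the
onboarding agent "CorpWiFiOnboard" is hypothetical.
"""
import json
import re

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
WIFI_SERVICE_NAMES = ("WlanSvc", "dot3svc")           # WLAN / Wired AutoConfig
INSECURE_WIFI_TERMS = ("ad-hoc", "independent", "IBSS", "open", "WEP")


def _terms(text):
    """Lower-cased alphanumeric tokens, the way KQL `has` tokenises text."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def has_any(text, terms):
    """Approximate KQL has_any: case-insensitive whole-term match, not substring."""
    toks = _terms(text)
    for term in terms:
        tt = _terms(term)
        n = len(tt)
        if n and any(toks[i:i + n] == tt for i in range(len(toks) - n + 1)):
            return True
    return False


def is_wifi_service_process(file_name, command_line):
    """wlanext.exe, or the svchost.exe instance hosting WlanSvc/dot3svc ("-s <service>")."""
    fn = file_name.lower()
    return fn == "wlanext.exe" or (fn == "svchost.exe"
                                   and has_any(command_line, WIFI_SERVICE_NAMES))


def signal_process(events, child_allowlist=()):
    """Signal 1: script hosts / cmd.exe spawned from the Wi-Fi service context."""
    hits = []
    for e in events:
        if not is_wifi_service_process(e["InitiatingProcessFileName"],
                                       e["InitiatingProcessCommandLine"]):
            continue
        if e["FileName"].lower() not in SCRIPT_HOSTS:
            continue
        # Tuning hook for the false positives listed above (e.g. an onboarding agent).
        if any(a.lower() in e["ProcessCommandLine"].lower() for a in child_allowlist):
            continue
        hits.append({**e, "ThreatIndicator": "CVE-2024-30078-WiFi-Driver-PostExploit"})
    return hits


def signal_network(events):
    """Signal 2: the Wi-Fi service host connecting to a public IP."""
    return [{**e, "ThreatIndicator": "CVE-2024-30078-WiFi-Service-Outbound"}
            for e in events
            if e["RemoteIPType"] == "Public"
            and is_wifi_service_process(e["InitiatingProcessFileName"],
                                        e["InitiatingProcessCommandLine"])]


def signal_wifi_connect(events):
    """Signal 3: ad-hoc or open/WEP networks, matched over the whole AdditionalFields blob."""
    return [{**e, "ThreatIndicator": "CVE-2024-30078-Insecure-WiFi-Connect"}
            for e in events
            if e["ActionType"] in ("WifiConnectionAttempt", "WifiConnected")
            and has_any(e["AdditionalFields"], INSECURE_WIFI_TERMS)]


def run_detection(process_events, network_events, device_events, child_allowlist=()):
    """Union of the three signals, newest first, like the query's final sort."""
    hits = (signal_process(process_events, child_allowlist)
            + signal_network(network_events)
            + signal_wifi_connect(device_events))
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


# Constructed sample telemetry (not real data).
WLANSVC_CL = "svchost.exe -k LocalSystemNetworkRestricted -p -s WlanSvc"
PROCESS_EVENTS = [
    {"TimeGenerated": "2024-06-12T09:01:00Z", "DeviceName": "lt-01",            # hit
     "InitiatingProcessFileName": "svchost.exe", "InitiatingProcessCommandLine": WLANSVC_CL,
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c whoami"},
    {"TimeGenerated": "2024-06-12T09:02:00Z", "DeviceName": "lt-01",            # other service: no hit
     "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell.exe -File C:\\ops\\inv.ps1"},
    {"TimeGenerated": "2024-06-12T09:03:00Z", "DeviceName": "lt-02",            # hit
     "InitiatingProcessFileName": "wlanext.exe", "InitiatingProcessCommandLine": "wlanext.exe",
     "FileName": "rundll32.exe", "ProcessCommandLine": "rundll32.exe C:\\Users\\Public\\x.dll,Run"},
    {"TimeGenerated": "2024-06-12T09:04:00Z", "DeviceName": "lt-03",            # hit unless allowlisted
     "InitiatingProcessFileName": "svchost.exe", "InitiatingProcessCommandLine": WLANSVC_CL,
     "FileName": "powershell.exe",
     "ProcessCommandLine": 'powershell.exe -File "C:\\Program Files\\CorpWiFiOnboard\\post-connect.ps1"'},
]
NETWORK_EVENTS = [
    {"TimeGenerated": "2024-06-12T09:05:00Z", "DeviceName": "lt-01", "RemoteIP": "203.0.113.10",
     "RemoteIPType": "Public", "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessCommandLine": WLANSVC_CL},                                 # hit
    {"TimeGenerated": "2024-06-12T09:06:00Z", "DeviceName": "lt-01", "RemoteIP": "10.0.0.5",
     "RemoteIPType": "Private", "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessCommandLine": WLANSVC_CL},                                 # private: no hit
]
DEVICE_EVENTS = [
    {"TimeGenerated": "2024-06-12T09:08:00Z", "DeviceName": "lt-02", "ActionType": "WifiConnected",
     "AdditionalFields": json.dumps({"SSID": "FreeAirportWiFi", "AuthenticationType": "Open"})},
    {"TimeGenerated": "2024-06-12T09:09:00Z", "DeviceName": "lt-02", "ActionType": "WifiConnected",
     "AdditionalFields": json.dumps({"SSID": "corp-wlan", "AuthenticationType": "WPA2-Enterprise"})},
]

if __name__ == "__main__":
    for h in run_detection(PROCESS_EVENTS, NETWORK_EVENTS, DEVICE_EVENTS,
                           child_allowlist=("CorpWiFiOnboard",)):
        print(h["TimeGenerated"], h["DeviceName"], h["ThreatIndicator"])
```

Running it with the allowlist yields four hits (the open-network connection, the public-IP connection from the WlanSvc host, and the two service-spawned script hosts) and suppresses the onboarding script; without the allowlist that script is a fifth hit. The Schedule-hosted svchost spawning PowerShell never fires, which is the point of scoping the svchost match to the service name.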
Testing Methodology
Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Monitor the Wi-Fi service for anomalous child process creation
Expected signal: Sysmon Event ID 1 (process creation), or the equivalent DeviceProcessEvents row in Defender for Endpoint, showing cmd.exe with the WlanSvc-hosting svchost.exe or wlanext.exe as its parent. If the test does not produce that parent-child relationship, the query will not fire, so confirm the parent process in the event before reading a miss as a detection gap.